Re: #100: DNS Spoofing / Rebinding

My understanding was that these holes had been closed, and that while there are undoubtedly still some clients out there that allow Host headers to be set, it's not an attractive attack to make now. What's the current state of things?


On 17/07/2011, at 3:48 PM, Amit Klein wrote:

> In the past (and this may re-incarnate) it was possible for clients to
> provide arbitrary Host headers with HTTP requests, thus rendering the
> Host header verification defense somewhat useless. See e.g.:
> http://archive.cert.uni-stuttgart.de/bugtraq/2006/09/msg00090.html
> 
> 
> 2011/7/17 Mark Nottingham <mnot@mnot.net>:
>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/100>
>> 
>> We've had this ticket open for a while now.
>> 
>> Relevant text in our current draft:
>>  <http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-15#section-11.4>
>> 
>> AIUI DNS pinning is no longer considered an adequate defence against rebinding, and the current advice is for servers to verify the Host header.
>> 
>> If that's correct, I think we can close this issue with no change.
>> 
>> Thoughts? We should also probably circulate with some security folk.
>> 
>> 
>> --
>> Mark Nottingham   http://www.mnot.net/
>> 

--
Mark Nottingham   http://www.mnot.net/

Received on Sunday, 17 July 2011 06:03:45 UTC
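
The server-side Host header check discussed in this thread, sketched as an added example (not code from the messages above or from the HTTPbis draft). During a rebinding attempt the browser still sends the attacker's name in Host, so a server that answers only for its own names refuses the request. The allowed names and ports, and the function names, are assumptions made for the illustration.

```python
# Names and ports this server answers for (assumed values for the example).
ALLOWED_HOSTS = {"intranet.example", "localhost", "127.0.0.1", "[::1]"}
ALLOWED_PORTS = {None, 80, 8080}   # None means the Host value carried no port


def parse_host(value):
    """Split a Host header value into (host, port); raise ValueError if malformed."""
    value = value.strip()
    if not value or any(c in value for c in " \t/@\\?#"):
        raise ValueError("malformed Host value")
    if value.startswith("["):                     # IPv6 literal: [addr] or [addr]:port
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[:end + 1], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port = rest[1:]
    else:
        host, _, port = value.partition(":")
    if port and not (port.isascii() and port.isdigit()):
        raise ValueError("non-numeric port")
    host = host.lower()                           # host names compare case-insensitively
    if host.endswith("."):                        # "name." and "name" are the same name
        host = host[:-1]
    return host, (int(port) if port else None)


def host_is_allowed(headers):
    """headers: list of (name, value) pairs as received. True only if the request
    carries exactly one Host header naming this server on an expected port."""
    hosts = [v for k, v in headers if k.lower() == "host"]
    if len(hosts) != 1:                           # missing or duplicated Host: refuse
        return False
    try:
        host, port = parse_host(hosts[0])
    except ValueError:
        return False
    return host in ALLOWED_HOSTS and port in ALLOWED_PORTS


if __name__ == "__main__":
    # Constructed sample requests.
    print(host_is_allowed([("Host", "intranet.example:8080")]))    # server's own name
    print(host_is_allowed([("Host", "rebind.attacker.example")]))  # rebinding page's name
```

As Amit Klein's message points out, this check only holds while the client does not let page content choose the Host header itself.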